On August  25, 2022, a jury in California awarded $31 million to family members of victims of a January 2020 helicopter crash. The award did not involve liability over the cause of the crash, nor an allegation of wrongful death. In fact, the award had nothing to do with the crash itself. The award related to improper release of crash-scene photos of the crash victims, captured by first responders who responded to the scene. News of the crash (and its victims) was widely covered in news and sports media outlets alike, namely because one of the victims was basketball star Kobe Bryant and his daughter, Gianna. Since the time of that initial crash a civil case involving the crash scene photos culminated with this jury verdict, which can hopefully bring some closure to those affected by this sad and unfortunate tragedy.

Notwithstanding its notoriety due to the fact a significant sports figure was involved, the basic elements of the case and the resulting award serve as an important and sobering reminder of the need to place patient privacy and confidentiality at the top of the duties EMS crewmembers owe to patients -  right along with  providing and documenting their care.  Testimony during the trial outlined that numerous LA County Sheriff and Fire Department personnel shared the crash scene photos both electronically and in person. In short, the jury determined the Sheriff’s Office and Fire Departments both lacked proper training and policies to prevent improper dissemination of such pictures. Interestingly, the bulk of the pictures were never publicly released, yet sharing of gruesome scene pictures among a select few who were not even at the scene (or had reason to view such pictures) was damage enough.

In general, when healthcare providers think of “privacy and confidentiality,” the first instinct might be HIPAA. Interestingly enough, the lawsuit brought by family members of the crash victims was not rooted in HIPAA – instead, it alleged emotional distress and invasion of privacy of the surviving family members. The basic argument was that by disclosing photos of their loved ones, the LA County Sheriff and firefighters violated the rights of the families of the victims because the family members were “unable to control images of the remains of their loved ones.” The result of this case is a not-so-subtle reminder that non-HIPAA privacy and confidentiality violations can be just as costly (if not more so) than HIPAA violations. As a result, EMS needs to be just as aware of all facets of patient privacy – not just HIPAA. Virtually every state has several laws prohibiting invasion of privacy with potential compensatory and punitive damages that could run into millions of dollars in a successful civil trial.

The case developed only after two private citizens submitted complaints to the County alleging that crash photos were being disseminated to the public. (That degree of public dissemination and to whom such photos were shared and under what context became critical areas of discussion as the case proceeded.) That complaint led to internal investigations, individual punishments, acknowledgement that the photos were leaked, and a new invasion of privacy bill known as the “Kobe Bryant Act” which makes it a misdemeanor crime (punishable by up to a $1,000 fine) for first responders in California to share photos of a deceased  person at a crime scene for any purpose other than official law enforcement purposes. Sound a little familiar? Absolutely. This mirrors some of the basic privacy rights that come with HIPAA for covered entities. But this basic right of privacy extends to non-HIPAA-covered entities like first responders, fire fighters and police officers, potentially plugging a “HIPAA hole” that has existed for years in a discord between police/ fire and EMS when it comes to taking, sharing, and disseminating patient information of patients or victims of crimes.

While the case did not directly involve EMS employees (or HIPAA), the resulting jury verdict teaches some obvious (and some nuanced) lessons and reminders about the basics of privacy that every EMS entity must practice:  

1. Investigate: Any allegation of improper conduct, no matter how minor, must be thoroughly investigated. Improper use or disclosure of patient records, including photos, must be tracked to downstream recipients. Ensuring electronic copies (and even latent remains) are properly deleted or destroyed is an important, but sometimes challenging task (especially in our tech-heavy world). Simply deleting images or confidential information from a device is not always enough – sweeping things under the rug doesn’t make a problem disappear.  ​

2. Minimum necessary: In many cases, the taking of crime scene photos is a perfectly acceptable and critical component of law enforcement activities. It can also be appropriate to take images of a scene or patient for legitimate patient treatment purposes (such as to show the trauma team the mechanism of injury). But that must be tightly controlled by a well described policy and those images should only be taken with company equipment and not personal smart phones as was done in the Kobe Bryant case. However, it’s knowing when, where, and with whom such photos can be shared that is lost on so many of us. Certainly, ongoing investigations, police work, and even QA/QI purposes are justifiable reasons to share sensitive information among those with a need to know (including crime scene photos). However, gossip sessions, uploading of patient images to the internet or social media sites, or sharing with strangers (or even co-workers) in a bar are definitely not appropriate. Remember to think about the target audience and whether that audience has any right to see or hear the information you’re intending to share. 

3. “Public” dissemination is not the standard: Sharing information, photos or videos of sensitive patient situations or crime scenes with anyone who is not on a “need to know basis” is inappropriate, and in some cases, illegal. The fact the information was not disclosed to the general public and/or publicly posted does not mitigate the disclosure. Release to any one person, who had no reason to view the information, is wrong. So is taking images in the first place if you have no legal right or legitimate job-related need to do so. As noted above, unless all electronic copies of the material are properly deleted and sanitized, it’s always possible that latent copies could arise in the future. Family members, confidants, and “friends” with no direct involvement in a patient care situation have no right to receive or even view sensitive information. Period.  

4. More than HIPAA: When it comes to patient privacy, many EMS agencies (as covered entities) think only about HIPAA. The reality (as proven by this verdict) is that there are numerous other privacy laws or causes of action that are similar to, and have larger penalties than, HIPAA. HIPAA penalties are set by regulation and statute. Certain tort cases, including negligence, invasion of privacy, intrusion upon seclusion or negligent or intentional infliction of emotional distress have no set penalty. Instead, the penalty or “award” is in the hands of a jury in a civil liability case when these state law tort actions are in play. Remember, there is no “private right of action” under HIPAA, but the restrictive HIPPA regulations that favor patient privacy have become the “standard of care” by which health care providers are judged by juries in these civil lawsuits brought under state law. Never leave your fate in the hands of a jury, as juries are often unpredictable. More importantly, never commit an offense that could lead to a civil complaint in the first place.  Remember, you are only one call away from a $10 million – or higher – jury verdict.

5. No more personal devices: Owners and high-ranking officials of EMS agencies should consider not allowing EMS crewmembers to use their personal devices while on duty – at all. Or, if such personal devices are permitted, such use should be prohibited while actively involved in patient care and other times when work activities need to be performed. If such policy restrictions are not implemented by the agency, crewmembers should avoid temptation while on calls and simply leave the personal device at the station, or in a locker. Unfortunately, personal devices have become a necessary appendage, and most of us cannot seem to function when our smartphones are more than an arms-length away. That same device which is the lifeblood of society – with the capability of amazingly high-quality digital imaging - can also become the weapon that can crumble your organization if patient information, photos or other sensitive information is improperly captured or shared. The best way to avoid improper images of victims, patients, and crime scenes to exist in the first place is to eliminate the technology to capture such images.

6. Policies and training: Like it or not, people don’t always think rationally. The inability to process rational thoughts is often directly related to tragic events.  This spontaneous loss of rationalization occurs even quicker when a celebrity is involved. (In the Kobe Bryant case, it was reported that several responders climbed through rough terrain solely to the human remains for no other purpose than to take pictures of the bodies and the county sheriff admitted in the trial that there was “no playbook” for first responders using their personal devices to snap crash site photos.)  Ironically, EMS practitioners  are taught to be able to manage stress, pressure, work in demanding situations, and be able to think on their toes when human lives are on the line. Why isn’t that same ability to remember life-saving techniques, what medication to administer, or how to treat a patient (clinically) applied to more common-sense and rational behavior like respecting privacy and confidentiality? A major factor, at least in the Kobe crash scene photos case, was a lack of policies and training as to fundamental “right vs. wrong,” when it comes to on-scene behaviors. Just as EMTs and paramedics receive annual training on clinical skills, EMS agencies must perform privacy training and reminders on a routine basis. It’s never enough to provide one quick HIPAA training and expect all EMS crewmembers to remember how to act. It’s also not enough to have a minimal policy (or worse:  none at all) to address fundamental patient privacy rights. Many of us learn by doing and become better at what we do by repetition. We cannot become better patient advocates or protectors of patient privacy if training and policies are not properly implemented and reinforced.